[IPython-dev] IPEP 3: Multiuser support in the notebook

Brian Granger ellisonbg@gmail....
Sun Sep 9 11:19:21 CDT 2012


On Sun, Sep 9, 2012 at 2:57 AM, Matthias BUSSONNIER
<bussonniermatthias@gmail.com> wrote:
>
> Le 8 sept. 2012 à 23:09, Carl Smith a écrit :
>
>> I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern moot too. I'm not certain, but that's what I thought. I'm on my phone so I can't do much to look into it right now.
>
> Well, if I understand XSS, it is pretty trivial to do with the Python notebook, as we allow embedding scripts in .ipynb files.
> They might not be executable, but a simple notebook with, in a markdown cell:
>
> <a href='onclick=function(){alert('hello')}'> click me </a> should work.
> Moreover, you can embed iframes, etc.
>
> So one could forge a malicious ipynb file and ask you to view it through nbviewer.ipython.org.
>
> Assuming you are logged in to nbviewer.ipython.org, the scripts in this notebook have all your rights.
>
> For me, this is XSS.
>
> I won't imagine what people would try to do if you know that JS can send code to execute on the server side!

I am not sure I am following the discussion here.  The IPython
Notebook is designed to execute arbitrary Python and JavaScript code.
We don't view that as a security vulnerability - it is our central
feature!  Is this what you are talking about, or is there some other
subtle aspect you are referring to?

One thing you might be talking about is the fact that <script> tags in
markdown cells can be executed on page load without a user knowing
about them.  The markdown renderer we are using has the ability to
strip <script> tags.  We might want to do that so the only way that
javascript code can be run is by the kernel running code that sends
back dynamic javascript.  I am probably +0.5 on this idea currently.

> --
> Matthias
>
>
>>
>> _______________________________________________
>> IPython-dev mailing list
>> IPython-dev@scipy.org
>> http://mail.scipy.org/mailman/listinfo/ipython-dev



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger@calpoly.edu and ellisonbg@gmail.com
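As an added example, not code from the IPython project or from anyone in this thread, here is a small Python sanitizer in the spirit of the script-stripping Brian mentions: it walks the markdown cells of a notebook and drops <script>/<iframe> elements, inline on* handlers and javascript: URLs before the cell reaches a renderer. The v3 "worksheets" notebook layout and the stdlib html.parser approach are my assumptions; a deployment would more likely use an allow-list HTML sanitizer, but the structure of the check is the same.

```python
import html
from html.parser import HTMLParser
BLOCKED = {"script", "iframe", "object", "embed"}  # these elements are dropped whole

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.skip = [], 0  # skip > 0 while inside a blocked element

    def handle_starttag(self, tag, attrs):  # html.parser lowercases tag/attr names
        if tag in BLOCKED:
            self.skip += 1
        elif not self.skip:
            kept = []
            for name, value in attrs:
                if name.startswith("on"):  # inline handler such as onclick=
                    continue
                if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                    continue
                kept.append(f" {name}" if value is None else f' {name}="{html.escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):  # <br/> and friends: emit once, no end tag
        if tag not in BLOCKED:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    handle_entityref = lambda self, name: self.handle_data(f"&{name};")
    handle_charref = lambda self, name: self.handle_data(f"&#{name};")

def strip_active_content(markdown_src):
    """Return one markdown cell's source with active HTML removed."""
    p = ActiveContentStripper()
    p.feed(markdown_src)
    p.close()
    return "".join(p.out)

def sanitize_notebook(nb):
    """Strip active content from every markdown cell (IPython v3 'worksheets' layout assumed)."""
    for ws in nb.get("worksheets", []):
        for cell in ws.get("cells", []):
            if cell.get("cell_type") == "markdown":  # 'source' may be a str or a list of lines
                cell["source"] = strip_active_content("".join(cell["source"]))
    return nb
```

Text outside tags, including entities, is passed through verbatim so ordinary markdown survives; only the elements and attributes named above are removed.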